Extending attack surface in distributed environments

I am currently working at RCNTEC, where I deal with distributed environments every day. Once, while implementing a DNS service on ISC BIND, I asked myself: are the only DNS servers serving a domain the ones listed as NS records for that domain? Are there really only two nameservers for the 'yandex.ru' zone and four for the 'google.com' zone?

Obviously not. I think that many companies running Internet services have a distributed DNS infrastructure standing behind a load balancer, firewall or some kind of reverse proxy, with only the front-end addresses published in the NS records.

But how can we solve this mystery and get some information about the backend DNS servers?

It was time to dive into DNS.

Chaosnet

You can read more about Chaosnet here.
In two words, it is another network protocol operating at Layer 3 of the ISO/OSI model.

In DNS, Chaosnet survives as one of the query classes (code CH), alongside IN (Internet) and HS (Hesiod).

Chaosnet is interesting because the CH class is commonly used to serve the pseudo-zone 'bind.', which contains several useful pieces of information about the DNS server itself. You probably know the 'version.bind.' TXT record, which reveals the server software version; the same zone also carries 'hostname.bind.', and the neighbouring 'server.' CH zone carries 'id.server.' (the class-neutral equivalent defined in RFC 4892).

There is a commonly used DNS fingerprinting technique based on this record: ask the server for the TXT record 'version.bind.' in class CH and read the answer.

Great! The same kind of query, this time for 'hostname.bind.', gives us the server hostname. In my case the hostname was only an internal server name. But what about distributed environments?

My experience says that it is very convenient, and therefore common, to give servers hostnames equal to their external DNS names. In that case the internal hostname we obtained is also the external DNS name, and we can simply resolve it to obtain the server's IP address.
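The whole procedure (CH-class TXT queries for version, hostname and server id, then resolving the hostname) as an added, self-contained example. This is not the author's unhidens utility and does not call dig; it builds the DNS query on the wire (RFC 1035 format) with the standard library only. The target server address, UDP port 53 and the placeholder text in SAMPLE_RESPONSE are assumptions; SAMPLE_RESPONSE is a constructed packet for offline use, not a capture from any real server.

```python
"""Query the CH-class 'bind.' pseudo-zone and resolve what comes back.

Added example for this article; it is not the author's 'unhidens' utility.
Only the DNS wire format (RFC 1035) is used, so no third-party module is
needed. SAMPLE_RESPONSE is a constructed packet so the parser can be run
offline.
"""
import secrets
import socket
import struct

CLASS_CH = 3        # Chaosnet class
TYPE_TXT = 16
CHAOS_NAMES = ("version.bind", "hostname.bind", "id.server")


def build_query(name, txid=None, qtype=TYPE_TXT, qclass=CLASS_CH):
    """Encode one question; flags are 0 (no RD, the CH zone is served locally)."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            hops += 1
            if hops > 32:                   # guard against pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_txt_answers(msg, expected_txid=None):
    """Return (rcode, [(owner, text), ...]) for CH TXT records in the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            parts, i = [], 0
            while i < len(rdata):           # TXT RDATA: <len><chars> strings
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
            records.append((owner, "".join(parts)))
    return flags & 0xF, records


def query_chaos(server, name, timeout=3.0):
    """Send one CH TXT query over UDP; return the TXT strings (empty if none)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    _rcode, records = parse_txt_answers(data, expected_txid=txid)
    return [text for _owner, text in records]


def fingerprint(server):
    """Version, hostname, server id and, if the hostname resolves, its address."""
    info = {}
    for name in CHAOS_NAMES:
        try:
            info[name] = query_chaos(server, name)
        except (OSError, ValueError) as exc:
            info[name] = [f"<error: {exc}>"]
    resolved = {}
    for host in info.get("hostname.bind", []):
        try:
            resolved[host] = socket.gethostbyname(host)   # hostname -> external IP
        except OSError:
            resolved[host] = None
    info["resolved"] = resolved
    return info


# Constructed reply to 'version.bind CH TXT': txid 0x1234, QR|AA set, one
# answer whose owner name is a pointer to offset 12. Not a real capture.
SAMPLE_RESPONSE = (
    b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07version\x04bind\x00\x00\x10\x00\x03"
    b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x07" b"\x06" b"9.16.1"
)

if __name__ == "__main__":
    import sys
    print(parse_txt_answers(SAMPLE_RESPONSE))
    for srv in sys.argv[1:]:                # e.g. python3 chaos.py 192.0.2.53
        print(srv, fingerprint(srv))
```

Run it against a public nameserver of the domain you are studying (it is the "relay" the author talks about: a front end that proxies the CH query to whichever backend happens to answer) and repeat the queries; a pool behind a load balancer shows up as several different hostnames for the same public address.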

Unhidens

I wrote a small utility that runs 'dig' against the relay (the public nameserver) to collect versions and hostnames, and then resolves the hostnames it receives.

Boom! We completely enumerated Yandex's backend DNS servers sitting behind the public machines: we can request their hostnames and resolve them to get their addresses.

In Yandex's case all the machines found were firewalled, so I was unable to contact them directly. But I tried unhidens against a couple of other companies and sometimes saw machines running vulnerable versions of DNS software, and even machines with TCP/53 open.

Conclusion

The information disclosure described in this article is not a critical bug, but an attacker can use it to extend the attack surface.

Try unhidens against different domains; I am sure you will like it!

And remember that the 'bind.' zone is not only an ISC BIND feature: I have seen many different DNS servers affected by this information disclosure.

If you want to close this issue on your DNS servers, I recommend handling the CH zone 'bind.' manually.

Just add something like this to 'named.conf' if you are using ISC BIND:
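As an added example (not the post's own snippet), here is a named.conf fragment for ISC BIND that serves the CH 'bind.' zone itself inside a chaos-class view and logs the queries. The file paths, the view names, the zone file name and the placeholder strings are assumptions. The quick alternative, the 'version', 'hostname' and 'server-id' statements in 'options', is shown in the comment at the top; it hides the data just as well but gives no record of who asked.

```conf
// Added example for this article, not the post's original snippet.
// Quick alternative (no per-query visibility): put these in options {}
//     version "not disclosed"; hostname "not disclosed"; server-id none;

// Query logging: the presence of a 'queries' category turns it on.
logging {
    channel chaos_queries {
        file "/var/log/named/queries.log" versions 5 size 10m;  // assumed path
        severity info;
        print-time yes;
    };
    category queries { chaos_queries; };
};

// Once any view is declared, every existing zone must live inside a view,
// otherwise named refuses to start. Move your IN zones here.
view "internet" IN {
    match-clients { any; };
    // ... your existing IN zones ...
};

// User-defined chaos view: it replaces BIND's built-in 'bind.' zone.
view "chaos" CH {
    match-clients { any; };
    allow-query { any; };
    zone "bind" CH {
        type master;
        file "db.bind";     // assumed file name, contents below
    };
};

// db.bind -- a CH-class zone file with neutral answers.
// $TTL 0
// @         CH  SOA  localhost. hostmaster.localhost. ( 1 3600 600 86400 0 )
// @         CH  NS   localhost.
// version   CH  TXT  "not disclosed"
// hostname  CH  TXT  "not disclosed"
```

With views in place, each query log line names the view that answered, so a line containing 'view chaos:' together with 'version.bind' or 'hostname.bind' is exactly a client probing the pseudo-zone, and can be filtered or alerted on. Because the user-defined CH view replaces the built-in one, 'id.server' (which lives in the built-in 'server.' CH zone) simply stops being answered; add a 'server' CH zone in the same way if you want a controlled answer for it as well.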

This is not the easiest way to hide your version and hostname, but with this configuration you can log requests to the 'bind.' zone and track every client that tries to request sensitive information about your machines.